diff --git a/SwarselSystems.org b/SwarselSystems.org index e97076e..ea4c228 100644 --- a/SwarselSystems.org +++ b/SwarselSystems.org @@ -3872,7 +3872,6 @@ My work machine. Built for more security, this is the gold standard of my config personal = true; }; - networking.nftables.firewall.zones.untrusted.interfaces = [ "wlan*" "enp*" ]; # networking.nftables = { # enable = lib.mkForce false; # firewall.enable = lib.mkForce false; @@ -8867,7 +8866,6 @@ In the respective modules that use home-manager secrets (for example [[#h:506d01 inherit (config.repo.secrets.common.emacs) radicaleUser; certsSopsFile = self + /secrets/repo/certs.yaml; - workSopsFile = self + /secrets/work/secrets.yaml; in { config = { } // lib.optionalAttrs withHomeManager { @@ -8893,8 +8891,6 @@ In the respective modules that use home-manager secrets (for example [[#h:506d01 github-forge-token = { owner = mainUser; }; }) // (lib.optionalAttrs (modules ? optional-work) { harica-root-ca = { sopsFile = certsSopsFile; path = "${homeDir}/.aws/certs/harica-root.pem"; owner = mainUser; }; - yubikey-1 = { sopsFile = workSopsFile; owner = mainUser; }; - ucKey = { sopsFile = workSopsFile; owner = mainUser; }; }) // (lib.optionalAttrs (modules ? optional-noctalia) { radicale-token = { owner = mainUser; }; }) // (lib.optionalAttrs modules.anki { @@ -9306,7 +9302,7 @@ This system, while highly pleasant to work with during everyday use, sometimes h #+begin_src nix-ts :tangle modules/nixos/common/pii.nix # largely based on https://github.com/oddlama/nix-config/blob/main/modules/secrets.nix - { config, inputs, lib, homeLib, nodes, globals, ... }: + { config, inputs, lib, nodes, globals, ... }: let # If the given expression is a bare set, it will be wrapped in a function, # so that the imported file can always be applied to the inputs, similar to 
@@ -9360,7 +9356,7 @@ This system, while highly pleasant to work with during everyday use, sometimes h secrets = lib.mkOption { readOnly = true; - default = lib.mapAttrs (_: x: importEncrypted x { inherit lib homeLib nodes globals inputs config; inherit (inputs.topologyPrivate) topologyPrivate; }) config.repo.secretFiles; + default = lib.mapAttrs (_: x: importEncrypted x { inherit lib nodes globals inputs; inherit (inputs.topologyPrivate) topologyPrivate; }) config.repo.secretFiles; type = lib.types.unspecified; description = "Exposes the loaded repo secrets. This option is read-only."; }; @@ -10740,20 +10736,9 @@ Also, since I use a GPG key in sops, it seems that scdaemon creates an instance { options.swarselmodules.yubikey = lib.mkEnableOption "yubikey config"; config = lib.mkIf config.swarselmodules.yubikey { - programs.ssh = { - startAgent = false; # yes we want this to use FIDO2 keys - # enableAskPassword = true; - # askPassword = lib.getExe pkgs.kdePackages.ksshaskpass; - }; - services = { - gnome.gcr-ssh-agent.enable = false; - yubikey-agent.enable = false; - pcscd.enable = true; + programs.ssh.startAgent = false; - udev.packages = with pkgs; [ - yubikey-personalization - ]; - }; + services.pcscd.enable = true; hardware.gpgSmartcards.enable = true; @@ -10772,12 +10757,13 @@ Also, since I use a GPG key in sops, it seems that scdaemon creates an instance }; }; - environment.systemPackages = with pkgs; [ - kdePackages.ksshaskpass + services.udev.packages = with pkgs; [ + yubikey-personalization ]; + }; } - #+end_src +#+end_src ***** Ledger :PROPERTIES: 
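Review bot: The new `default` for `secrets` passes `{ inherit lib nodes globals inputs; ... }` to `importEncrypted`, which drops `config` as well as `homeLib`, while the module header changed in the preceding hunk still takes `config`. Because the secret files are encrypted, a reference to `config` or `homeLib` inside one of them would only surface at evaluation time, not in this review; if dropping `config` is deliberate (for instance to keep secret evaluation independent of the module fixpoint), a comment on that line would record it: `# secret files must not depend on config; keep this argument set minimal`. The `secrets` option block continues outside the hunk.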
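Review bot: Collapsing the `programs.ssh` and `services` sets to `programs.ssh.startAgent = false;` and `services.pcscd.enable = true;` also drops the explicit `gnome.gcr-ssh-agent.enable = false` and `yubikey-agent.enable = false`, and with them the comment that explained why the stock agent is off. Whether a competing agent now starts depends on what else each host enables (a GNOME session, for example), which this hunk cannot show; if those agents are meant to stay off, keeping the two `= false` lines is cheaper than later working out which process owns `SSH_AUTH_SOCK`. At minimum carry the rationale over: `programs.ssh.startAgent = false; # yes we want this to use FIDO2 keys`. The `config = lib.mkIf ...` set continues past this hunk and is closed in the following hunk at 10772.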
@@ -20034,42 +20020,10 @@ When setting up a new machine: }; - nftables = { - firewall = { - zones = { - virbr = { - interfaces = [ "virbr*" ]; - }; - }; - rules = { - virbr-dns-dhcp = { - from = [ "virbr" ]; - to = [ "local" ]; - allowedTCPPorts = [ 53 ]; - allowedUDPPorts = [ 53 67 547 ]; - }; - virbr-forward = { - from = [ "virbr" ]; - to = [ "untrusted" ]; - verdict = "accept"; - }; - virbr-forward-return = { - from = [ "untrusted" ]; - to = [ "virbr" ]; - extraLines = [ - "ct state { established, related } accept" - ]; - }; - }; - }; - chains.postrouting.libvirt-masq = { - after = [ "dnat" ]; - rules = [ - "iifname \"virbr*\" masquerade" - ]; - }; + firewall = { + enable = lib.mkDefault true; + trustedInterfaces = [ "virbr0" ]; }; - search = [ "vbc.ac.at" "clip.vbc.ac.at" @@ -20077,24 +20031,6 @@ When setting up a new machine: ]; }; - systemd.services = { - virtqemud.path = with pkgs; [ - qemu_kvm - libvirt - ]; - - virtstoraged.path = with pkgs; [ - qemu_kvm - libvirt - ]; - - virtnetworkd.path = with pkgs; [ - dnsmasq - iproute2 - nftables - ]; - }; - virtualisation = { docker.enable = lib.mkIf (!config.virtualisation.podman.dockerCompat) true; spiceUSBRedirection.enable = true; @@ -20105,12 +20041,22 @@ When setting up a new machine: runAsRoot = true; swtpm.enable = true; vhostUserPackages = with pkgs; [ virtiofsd ]; + # ovmf = { + # enable = true; + # packages = [ + # (pkgs.OVMFFull.override { + # secureBoot = true; + # tpmSupport = true; + # }).fd + # ]; + # }; }; }; }; environment.systemPackages = with pkgs; [ remmina + # gp-onsaml-gui python39 qemu packer @@ -20119,6 +20065,7 @@ When setting up a new machine: govc terraform opentofu + # dev.terragrunt terragrunt graphviz azure-cli @@ -20142,7 +20089,7 @@ When setting up a new machine: openssh = { enable = true; extraConfig = '' - ''; + ''; }; syncthing = { 
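Review bot: `trustedInterfaces = [ "virbr0" ]` accepts every inbound connection from the libvirt bridge, whereas the removed `virbr-dns-dhcp` rule only allowed TCP 53 and UDP 53/67/547 from the `virbr` zone to `local`. If the VMs are not fully trusted, the narrower equivalent in the plain firewall module is `firewall.interfaces.virbr0 = { allowedTCPPorts = [ 53 ]; allowedUDPPorts = [ 53 67 547 ]; };`. Note also that the removed zone matched `virbr*` while the new entry names only `virbr0`, so any additional libvirt network falls back to the default policy, and that the `libvirt-masq` chain and the forward rules are gone — presumably libvirt's own NAT rules are relied on now, which is worth a one-line comment. The enclosing `networking = {` set starts before this hunk and is closed in the following hunk at 20077.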
@@ -20163,9 +20110,10 @@ When setting up a new machine: }; }; + # ACTION=="remove", ENV{PRODUCT}=="3/1050/407/110", RUN+="${pkgs.kanshi}/bin/kanshictl switch laptoponly" udev.extraRules = '' # lock screen when yubikey removed - ACTION=="remove", ENV{PRODUCT}=="3/1050/407/110", RUN+="${pkgs.systemd}/bin/systemctl suspend" + ACTION=="remove", ENV{PRODUCT}=="3/1050/407/110", RUN+="${pkgs.systemd}/bin/systemctl suspend" ''; }; @@ -21231,7 +21179,7 @@ It is very convenient to have SSH aliases in place for machines that I use. This ''; matchBlocks = { "*" = { - forwardAgent = false; + forwardAgent = true; addKeysToAgent = "no"; compression = false; serverAliveInterval = 0; @@ -27546,7 +27494,6 @@ When setting up a new machine: inherit (confLib.getConfig.repo.secrets.local.mail) allMailAddresses; inherit (confLib.getConfig.repo.secrets.local.work) mailAddress; - sopsFile = self + /secrets/work/secrets.yaml; certsSopsFile = self + /secrets/repo/certs.yaml; in { @@ -27691,7 +27638,7 @@ When setting up a new machine: programs = let - inherit (confLib.getConfig.repo.secrets.local.work) user1 user1Long user2 user2Long user3 user3Long path1 site1 site2 site3 site4 site5 site6 site7 clouds; + inherit (confLib.getConfig.repo.secrets.local.work) user1 user1Long user2 user2Long user3 user3Long user4 path1 loc1 loc2 site1 site2 site3 site4 site5 site6 site7 lifecycle1 lifecycle2 domain1 domain2 clouds; in { openstackclient = { 
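Review bot: `forwardAgent = true;` in the `"*"` match block turns on agent forwarding for every host this configuration connects to, not only the ones that need it; for the lifetime of each session the remote side can use whatever keys the local agent holds, which is the risk the ssh_config documentation warns about for ForwardAgent. The safer shape is to keep `forwardAgent = false;` here and enable it only in the match blocks of hosts that actually need it, for example the work entries added in the hunk at 27746: `forwardAgent = true;` next to their `user = ...;` lines. `addKeysToAgent = "no"` on the next line does not limit this: it governs whether new keys are added to the agent, not which hosts may use the already-loaded ones. The same change appears in modules/home/common/ssh.nix in this diff.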
@@ -27746,7 +27693,41 @@ When setting up a new machine: }; }; - ssh.matchBlocks = confLib.getConfig.repo.secrets.local.work.sshConfig; + ssh = { + matchBlocks = { + "${loc1}" = { + hostname = "${loc1}.${domain2}"; + user = user4; + }; + "${loc1}.stg" = { + hostname = "${loc1}.${lifecycle1}.${domain2}"; + user = user4; + }; + "${loc1}.staging" = { + hostname = "${loc1}.${lifecycle1}.${domain2}"; + user = user4; + }; + "${loc1}.dev" = { + hostname = "${loc1}.${lifecycle2}.${domain2}"; + user = user4; + }; + "${loc2}" = { + hostname = "${loc2}.${domain1}"; + user = user1Long; + }; + "${loc2}.stg" = { + hostname = "${loc2}.${lifecycle1}.${domain2}"; + user = user1Long; + }; + "${loc2}.staging" = { + hostname = "${loc2}.${lifecycle1}.${domain2}"; + user = user1Long; + }; + "*.${domain1}" = { + user = user1Long; + }; + }; + }; firefox = { profiles = @@ -28273,8 +28254,6 @@ When setting up a new machine: path = "${homeDir}/.aws/certs/harica-root.pem"; owner = mainUser; }; - yubikey-1 = { inherit sopsFile; owner = mainUser; }; - ucKey = { inherit sopsFile; owner = mainUser; }; }; }; 
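Review bot: In the new `matchBlocks`, `"${loc2}"` resolves to `${loc2}.${domain1}` while `"${loc2}.stg"` and `"${loc2}.staging"` resolve under `${domain2}`, whereas every `${loc1}` entry uses `${domain2}`; this may well be intentional, but it is the one asymmetry in an otherwise regular table and deserves a comment if so. The `.stg`/`.staging` pairs are byte-identical copies; a helper such as `withAliases = name: attrs: { "${name}.stg" = attrs; "${name}.staging" = attrs; };` merged in with `//` would keep the two aliases from drifting apart. The same block is added in modules/home/optional/work.nix. The `programs = let ... in {` set that holds this begins before the hunk.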
@@ -33641,225 +33620,104 @@ When holding presentations, I think it is important to not have too many distrac #+begin_src emacs-lisp - (use-package org-present - :bind (:map org-present-mode-keymap - ("q" . org-present-quit) - ("" . swarsel/org-present-prev) - ("<​up>" . 'ignore) - ("<​down>" . 'ignore) - ("" . swarsel/org-present-next)) - :hook ((org-present-mode . swarsel/org-present-start) - (org-present-mode-quit . swarsel/org-present-end)) - :config - (add-hook 'org-present-after-navigate-functions #'swarsel/org-present-slide) - (setq org-present-startup-folded t) - ) + (use-package org-present + :bind (:map org-present-mode-keymap + ("q" . org-present-quit) + ("" . swarsel/org-present-prev) + ("" . 'ignore) + ("" . 'ignore) + ("" . swarsel/org-present-next)) + :hook ((org-present-mode . swarsel/org-present-start) + (org-present-mode-quit . swarsel/org-present-end)) + :config + (add-hook 'org-present-after-navigate-functions #'swarsel/org-present-slide) + ) - (use-package hide-mode-line) + (use-package hide-mode-line) - (defun swarsel/org-reveal-at-point () - "Reveal the org entry at point if it is a heading." - (when (and (derived-mode-p 'org-mode) - (org-at-heading-p)) - (org-show-entry) - (org-show-children))) + (defun swarsel/org-present-start () + (setq-local face-remapping-alist '((default (:height 1.5) variable-pitch) + (header-line (:height 4.0) variable-pitch) + (org-document-title (:height 1.75) org-document-title) + (org-code (:height 1.2) org-code) + (org-verbatim (:height 1.0) org-verbatim) + (org-quote (:height 1.0) org-quote) + (org-verse (:height 1.0) org-verse) + (org-table (:height 0.8) org-table) + (org-block (:height 1.25) org-block) + (org-block-begin-line (:height 0.7) org-block) + )) + (dolist (face '((org-level-1 . 1.1) + (org-level-2 . 1.2) + (org-level-3 . 1.2) + (org-level-4 . 1.2) + (org-level-5 . 1.2) + (org-level-6 . 1.2) + (org-level-7 . 1.2) + (org-level-8 . 
1.2))) + (set-face-attribute (car face) nil :font swarsel/variable-font :weight 'medium :height (cdr face))) - (defun swarsel/org-present-maybe-read-only () - "Toggle read-only based on whether cursor is inside a src block." - (if (org-in-src-block-p) - (when buffer-read-only - (org-present-read-write) - (evil-insert-state 1)) - (unless buffer-read-only - (org-present-read-only) - (evil-insert-state 1)))) + (setq header-line-format " ") + (setq visual-fill-column-width 90) + (setq indicate-buffer-boundaries nil) + (setq inhibit-message nil) + ;; (breadcrumb-mode 0) + (org-display-inline-images) + (global-hl-line-mode 0) + ;; (display-line-numbers-mode 0) + (org-modern-mode 0) + (evil-insert-state 1) + (beginning-of-buffer) + (org-present-read-only) + ;; (org-present-hide-cursor) + (swarsel/org-present-slide) + ) + (defun swarsel/org-present-end () + (setq-local face-remapping-alist '((default variable-pitch default))) + (dolist (face '((org-level-1 . 1.1) + (org-level-2 . 0.9) + (org-level-3 . 0.9) + (org-level-4 . 0.9) + (org-level-5 . 0.9) + (org-level-6 . 0.9) + (org-level-7 . 0.9) + (org-level-8 . 
0.9))) + (set-face-attribute (car face) nil :font swarsel/variable-font :weight 'medium :height (cdr face))) + (setq header-line-format nil) + (setq visual-fill-column-width 150) + (setq indicate-buffer-boundaries t) + (setq inhibit-message nil) + ;; (breadcrumb-mode 1) + (global-hl-line-mode 1) + ;; (display-line-numbers-mode 1) + (org-remove-inline-images) + (org-modern-mode 1) + (evil-normal-state 1) + ;; (org-present-show-cursor) + ) - (defun swarsel/org-present-narrow (orig-fn &rest args) - (cl-letf (((symbol-function 'show-all) #'ignore)) - (apply orig-fn args)) - (org-overview) - (org-show-entry)) + (defun swarsel/org-present-slide () + (org-overview) + (org-show-entry) + (org-show-children) + ) - (advice-add 'org-present-narrow :around #'swarsel/org-present-narrow) + (defun swarsel/org-present-prev () + (interactive) + (org-present-prev) + (swarsel/org-present-slide)) - (defun swarsel/org-present-start () - (setq-local face-remapping-alist `((default (:height 1.5) variable-pitch) - (header-line (:height 4.0) variable-pitch) - (org-document-title (:height 1.75) org-document-title) - (org-code (:height 1.2) org-code) - (org-verbatim (:height 1.0) org-verbatim) - (org-quote (:height 1.0) org-quote) - (org-verse (:height 1.0) org-verse) - (org-table (:family ,swarsel/fixed-font :weight regular :height 1.2) org-table) - (org-block (:height 1.25) org-block) - (org-link (:underline nil) org-link) - (org-block-begin-line (:height 0.7) org-block) - )) - - (setq header-line-format " ") - (setq visual-fill-column-width 150) - (setq indicate-buffer-boundaries nil) - (setq inhibit-message nil) - (setq org-babel-eval-error-notify t) - ;; (breadcrumb-mode 0) - (org-display-inline-images) - (global-hl-line-mode 0) - ;; (display-line-numbers-mode 0) - ;; (org-modern-mode 0) - (evil-insert-state 1) - (org-present-read-only) - ;; (org-present-hide-cursor) - (org-overview) ; fold everything on start - (add-hook 'post-command-hook #'swarsel/org-reveal-at-point nil t) - 
(add-hook 'post-command-hook #'swarsel/org-present-maybe-read-only nil t) - ) - - (defun swarsel/org-present-end () - (setq-local face-remapping-alist `((org-verbatim (:family ,swarsel/fixed-font :weight regular) - org-verbatim) - (org-table (:family ,swarsel/fixed-font :weight regular) org-table) - (org-meta-line (:family ,swarsel/fixed-font :weight regular) org-meta-line) - (org-formula (:family ,swarsel/fixed-font :weight regular) org-formula) - (org-checkbox (:family ,swarsel/fixed-font :weight regular) org-checkbox) - (org-latex-and-related (:family ,swarsel/fixed-font :weight regular) - org-latex-and-related) - (org-indent (:family ,swarsel/fixed-font :weight regular) org-indent) - (org-code (:family ,swarsel/fixed-font :weight regular) org-code) - (org-document-info-keyword (:family ,swarsel/fixed-font :weight regular) - org-document-info-keyword) - (org-block-end-line (:family ,swarsel/fixed-font :weight regular) org-block-end-line) - (org-block-begin-line (:family ,swarsel/fixed-font :weight regular) - org-block-begin-line) - (org-block (:family ,swarsel/fixed-font :weight regular) org-block) - (mu4e-compose-header-face (:family ,swarsel/fixed-font :weight regular) - mu4e-compose-header-face) - (mu4e-compose-separator-face (:family ,swarsel/fixed-font :weight regular) - mu4e-compose-separator-face) - (mu4e-contact-face (:family ,swarsel/fixed-font :weight regular) mu4e-contact-face) - (mu4e-link-face (:family ,swarsel/fixed-font :weight regular) mu4e-link-face) - (mu4e-header-value-face (:family ,swarsel/fixed-font :weight regular) - mu4e-header-value-face) - (mu4e-header-key-face (:family ,swarsel/fixed-font :weight regular) - mu4e-header-key-face) - (message-header-other (:family ,swarsel/fixed-font :weight regular) - message-header-other) - (message-header-subject (:family ,swarsel/fixed-font :weight regular) - message-header-subject) - (message-header-xheader (:family ,swarsel/fixed-font :weight regular) - message-header-xheader) - 
(message-header-newsgroups (:family ,swarsel/fixed-font :weight regular) - message-header-newsgroups) - (message-header-cc (:family ,swarsel/fixed-font :weight regular) message-header-cc) - (message-header-to (:family ,swarsel/fixed-font :weight regular) message-header-to) - (message-header-name (:family ,swarsel/fixed-font :weight regular) - message-header-name) - (markdown-math-face (:family ,swarsel/fixed-font :weight regular) markdown-math-face) - (markdown-language-keyword-face (:family ,swarsel/fixed-font :weight regular) - markdown-language-keyword-face) - (markdown-language-info-face (:family ,swarsel/fixed-font :weight regular) - markdown-language-info-face) - (markdown-inline-code-face (:family ,swarsel/fixed-font :weight regular) - markdown-inline-code-face) - (markdown-gfm-checkbox-face (:family ,swarsel/fixed-font :weight regular) - markdown-gfm-checkbox-face) - (markdown-code-face (:family ,swarsel/fixed-font :weight regular) markdown-code-face) - (line-number-minor-tick (:family ,swarsel/fixed-font :weight regular) - line-number-minor-tick) - (line-number-major-tick (:family ,swarsel/fixed-font :weight regular) - line-number-major-tick) - (line-number-current-line (:family ,swarsel/fixed-font :weight regular) - line-number-current-line) - (line-number (:family ,swarsel/fixed-font :weight regular) line-number) - (font-lock-variable-name-face (:family ,swarsel/fixed-font :weight regular) - font-lock-variable-name-face) - (font-lock-type-face (:family ,swarsel/fixed-font :weight regular) - font-lock-type-face) - (font-lock-string-face (:family ,swarsel/fixed-font :weight regular) - font-lock-string-face) - (font-lock-regexp-grouping-construct (:family ,swarsel/fixed-font :weight regular) - font-lock-regexp-grouping-construct) - (font-lock-regexp-grouping-backslash (:family ,swarsel/fixed-font :weight regular) - font-lock-regexp-grouping-backslash) - (font-lock-preprocessor-face (:family ,swarsel/fixed-font :weight regular) - font-lock-preprocessor-face) 
- (font-lock-negation-char-face (:family ,swarsel/fixed-font :weight regular) - font-lock-negation-char-face) - (font-lock-keyword-face (:family ,swarsel/fixed-font :weight regular) - font-lock-keyword-face) - (font-lock-function-name-face (:family ,swarsel/fixed-font :weight regular) - font-lock-function-name-face) - (font-lock-doc-face (:family ,swarsel/fixed-font :weight regular) font-lock-doc-face) - (font-lock-constant-face (:family ,swarsel/fixed-font :weight regular) - font-lock-constant-face) - (font-lock-comment-delimiter-face (:family ,swarsel/fixed-font :weight regular) - font-lock-comment-delimiter-face) - (font-lock-builtin-face (:family ,swarsel/fixed-font :weight regular) - font-lock-builtin-face) - (font-latex-sectioning-5-face (:family ,swarsel/fixed-font :weight regular) - font-latex-sectioning-5-face) - (font-latex-warning-face (:family ,swarsel/fixed-font :weight regular) - font-latex-warning-face) - (font-latex-sedate-face (:family ,swarsel/fixed-font :weight regular) - font-latex-sedate-face) - (font-latex-math-face (:family ,swarsel/fixed-font :weight regular) - font-latex-math-face) - (diff-removed (:family ,swarsel/fixed-font :weight regular) diff-removed) - (diff-hunk-header (:family ,swarsel/fixed-font :weight regular) diff-hunk-header) - (diff-header (:family ,swarsel/fixed-font :weight regular) diff-header) - (diff-function (:family ,swarsel/fixed-font :weight regular) diff-function) - (diff-file-header (:family ,swarsel/fixed-font :weight regular) diff-file-header) - (diff-context (:family ,swarsel/fixed-font :weight regular) diff-context) - (diff-added (:family ,swarsel/fixed-font :weight regular) diff-added) - (default (:family "Sans Serif" :weight light) variable-pitch default) - )) - (setq header-line-format nil) - (setq visual-fill-column-width 150) - (setq indicate-buffer-boundaries t) - (setq inhibit-message nil) - (setq org-babel-no-eval-on-error nil) - ;; (breadcrumb-mode 1) - (global-hl-line-mode 1) - ;; 
(display-line-numbers-mode 1) - (org-remove-inline-images) - ;; (org-modern-mode 1) - (evil-normal-state 1) - ;; (org-present-show-cursor) - (remove-hook 'post-command-hook #'swarsel/org-reveal-at-point t) - (remove-hook 'post-command-hook #'swarsel/org-present-maybe-read-only t) - ) - - (defun swarsel/org-present-slide-open () - (org-overview) - (org-show-entry) - (org-show-children) - ) - - (defun swarsel/org-present-prev () - (interactive) - (beginning-of-buffer) - (org-present-prev) - (swarsel/org-present-slide-open) - ) - - (defun swarsel/org-present-next () - (interactive) - (let* ((next-heading (save-excursion - (when (outline-next-heading) (point)))) - (next-block (save-excursion - (when (re-search-forward "^#\\+begin_src" nil t) - (match-beginning 0)))) - (target (cond - ((and next-heading next-block) (min next-heading next-block)) - (next-heading next-heading) - (next-block next-block) - (t nil)))) - (if (and target (< target (point-max))) - (progn - (goto-char target) - (org-fold-show-entry)) - (org-present-next)))) + (defun swarsel/org-present-next () + (interactive) + (unless (eobp) + (org-next-visible-heading 1) + (org-fold-show-entry)) + (when (eobp) + (org-present-next) + (swarsel/org-present-slide) + )) #+end_src diff --git a/files/emacs/init.el b/files/emacs/init.el index 9846b5b..b412785 100644 --- a/files/emacs/init.el +++ b/files/emacs/init.el 
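Review bot: The new `swarsel/org-present-start` calls `(beginning-of-buffer)` from Lisp; that command is declared interactive-only (it pushes a mark and the byte compiler warns about it), so `(goto-char (point-min))` is the idiom. The same hunk mixes the obsolete `org-show-entry`/`org-show-children` in `swarsel/org-present-slide` with `org-fold-show-entry` in `swarsel/org-present-next`; using the `org-fold-` names throughout keeps to one API. None of the new defuns has a docstring; `swarsel/org-present-next` in particular should state that it steps through visible headings and only advances the slide once point reaches the end of the narrowed buffer, because the `(unless (eobp) ...)`/`(when (eobp) ...)` pair reads as two independent branches rather than a deliberate fall-through. The tangled copy in files/emacs/init.el (hunks at 1032 and 1225) has the same three issues.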
@@ -1032,192 +1032,81 @@ create a new one." :bind (:map org-present-mode-keymap ("q" . org-present-quit) ("" . swarsel/org-present-prev) - ("<​up>" . 'ignore) - ("<​down>" . 'ignore) + ("" . 'ignore) + ("" . 'ignore) ("" . swarsel/org-present-next)) :hook ((org-present-mode . swarsel/org-present-start) (org-present-mode-quit . swarsel/org-present-end)) :config (add-hook 'org-present-after-navigate-functions #'swarsel/org-present-slide) - (setq org-present-startup-folded t) ) (use-package hide-mode-line) -(defun swarsel/org-reveal-at-point () - "Reveal the org entry at point if it is a heading." - (when (and (derived-mode-p 'org-mode) - (org-at-heading-p)) - (org-show-entry) - (org-show-children))) - -(defun swarsel/org-present-maybe-read-only () - "Toggle read-only based on whether cursor is inside a src block." - (if (org-in-src-block-p) - (when buffer-read-only - (org-present-read-write) - (evil-insert-state 1)) - (unless buffer-read-only - (org-present-read-only) - (evil-insert-state 1)))) - - -(defun swarsel/org-present-narrow (orig-fn &rest args) - (cl-letf (((symbol-function 'show-all) #'ignore)) - (apply orig-fn args)) - (org-overview) - (org-show-entry)) - -(advice-add 'org-present-narrow :around #'swarsel/org-present-narrow) - (defun swarsel/org-present-start () - (setq-local face-remapping-alist `((default (:height 1.5) variable-pitch) + (setq-local face-remapping-alist '((default (:height 1.5) variable-pitch) (header-line (:height 4.0) variable-pitch) (org-document-title (:height 1.75) org-document-title) (org-code (:height 1.2) org-code) (org-verbatim (:height 1.0) org-verbatim) (org-quote (:height 1.0) org-quote) (org-verse (:height 1.0) org-verse) - (org-table (:family ,swarsel/fixed-font :weight regular :height 1.2) org-table) + (org-table (:height 0.8) org-table) (org-block (:height 1.25) org-block) - (org-link (:underline nil) org-link) (org-block-begin-line (:height 0.7) org-block) )) + (dolist (face '((org-level-1 . 1.1) + (org-level-2 . 
1.2) + (org-level-3 . 1.2) + (org-level-4 . 1.2) + (org-level-5 . 1.2) + (org-level-6 . 1.2) + (org-level-7 . 1.2) + (org-level-8 . 1.2))) + (set-face-attribute (car face) nil :font swarsel/variable-font :weight 'medium :height (cdr face))) (setq header-line-format " ") - (setq visual-fill-column-width 150) + (setq visual-fill-column-width 90) (setq indicate-buffer-boundaries nil) (setq inhibit-message nil) - (setq org-babel-eval-error-notify t) ;; (breadcrumb-mode 0) (org-display-inline-images) (global-hl-line-mode 0) ;; (display-line-numbers-mode 0) - ;; (org-modern-mode 0) + (org-modern-mode 0) (evil-insert-state 1) + (beginning-of-buffer) (org-present-read-only) ;; (org-present-hide-cursor) - (org-overview) ; fold everything on start - (add-hook 'post-command-hook #'swarsel/org-reveal-at-point nil t) - (add-hook 'post-command-hook #'swarsel/org-present-maybe-read-only nil t) + (swarsel/org-present-slide) ) (defun swarsel/org-present-end () - (setq-local face-remapping-alist `((org-verbatim (:family ,swarsel/fixed-font :weight regular) - org-verbatim) - (org-table (:family ,swarsel/fixed-font :weight regular) org-table) - (org-meta-line (:family ,swarsel/fixed-font :weight regular) org-meta-line) - (org-formula (:family ,swarsel/fixed-font :weight regular) org-formula) - (org-checkbox (:family ,swarsel/fixed-font :weight regular) org-checkbox) - (org-latex-and-related (:family ,swarsel/fixed-font :weight regular) - org-latex-and-related) - (org-indent (:family ,swarsel/fixed-font :weight regular) org-indent) - (org-code (:family ,swarsel/fixed-font :weight regular) org-code) - (org-document-info-keyword (:family ,swarsel/fixed-font :weight regular) - org-document-info-keyword) - (org-block-end-line (:family ,swarsel/fixed-font :weight regular) org-block-end-line) - (org-block-begin-line (:family ,swarsel/fixed-font :weight regular) - org-block-begin-line) - (org-block (:family ,swarsel/fixed-font :weight regular) org-block) - (mu4e-compose-header-face (:family 
,swarsel/fixed-font :weight regular) - mu4e-compose-header-face) - (mu4e-compose-separator-face (:family ,swarsel/fixed-font :weight regular) - mu4e-compose-separator-face) - (mu4e-contact-face (:family ,swarsel/fixed-font :weight regular) mu4e-contact-face) - (mu4e-link-face (:family ,swarsel/fixed-font :weight regular) mu4e-link-face) - (mu4e-header-value-face (:family ,swarsel/fixed-font :weight regular) - mu4e-header-value-face) - (mu4e-header-key-face (:family ,swarsel/fixed-font :weight regular) - mu4e-header-key-face) - (message-header-other (:family ,swarsel/fixed-font :weight regular) - message-header-other) - (message-header-subject (:family ,swarsel/fixed-font :weight regular) - message-header-subject) - (message-header-xheader (:family ,swarsel/fixed-font :weight regular) - message-header-xheader) - (message-header-newsgroups (:family ,swarsel/fixed-font :weight regular) - message-header-newsgroups) - (message-header-cc (:family ,swarsel/fixed-font :weight regular) message-header-cc) - (message-header-to (:family ,swarsel/fixed-font :weight regular) message-header-to) - (message-header-name (:family ,swarsel/fixed-font :weight regular) - message-header-name) - (markdown-math-face (:family ,swarsel/fixed-font :weight regular) markdown-math-face) - (markdown-language-keyword-face (:family ,swarsel/fixed-font :weight regular) - markdown-language-keyword-face) - (markdown-language-info-face (:family ,swarsel/fixed-font :weight regular) - markdown-language-info-face) - (markdown-inline-code-face (:family ,swarsel/fixed-font :weight regular) - markdown-inline-code-face) - (markdown-gfm-checkbox-face (:family ,swarsel/fixed-font :weight regular) - markdown-gfm-checkbox-face) - (markdown-code-face (:family ,swarsel/fixed-font :weight regular) markdown-code-face) - (line-number-minor-tick (:family ,swarsel/fixed-font :weight regular) - line-number-minor-tick) - (line-number-major-tick (:family ,swarsel/fixed-font :weight regular) - line-number-major-tick) - 
(line-number-current-line (:family ,swarsel/fixed-font :weight regular) - line-number-current-line) - (line-number (:family ,swarsel/fixed-font :weight regular) line-number) - (font-lock-variable-name-face (:family ,swarsel/fixed-font :weight regular) - font-lock-variable-name-face) - (font-lock-type-face (:family ,swarsel/fixed-font :weight regular) - font-lock-type-face) - (font-lock-string-face (:family ,swarsel/fixed-font :weight regular) - font-lock-string-face) - (font-lock-regexp-grouping-construct (:family ,swarsel/fixed-font :weight regular) - font-lock-regexp-grouping-construct) - (font-lock-regexp-grouping-backslash (:family ,swarsel/fixed-font :weight regular) - font-lock-regexp-grouping-backslash) - (font-lock-preprocessor-face (:family ,swarsel/fixed-font :weight regular) - font-lock-preprocessor-face) - (font-lock-negation-char-face (:family ,swarsel/fixed-font :weight regular) - font-lock-negation-char-face) - (font-lock-keyword-face (:family ,swarsel/fixed-font :weight regular) - font-lock-keyword-face) - (font-lock-function-name-face (:family ,swarsel/fixed-font :weight regular) - font-lock-function-name-face) - (font-lock-doc-face (:family ,swarsel/fixed-font :weight regular) font-lock-doc-face) - (font-lock-constant-face (:family ,swarsel/fixed-font :weight regular) - font-lock-constant-face) - (font-lock-comment-delimiter-face (:family ,swarsel/fixed-font :weight regular) - font-lock-comment-delimiter-face) - (font-lock-builtin-face (:family ,swarsel/fixed-font :weight regular) - font-lock-builtin-face) - (font-latex-sectioning-5-face (:family ,swarsel/fixed-font :weight regular) - font-latex-sectioning-5-face) - (font-latex-warning-face (:family ,swarsel/fixed-font :weight regular) - font-latex-warning-face) - (font-latex-sedate-face (:family ,swarsel/fixed-font :weight regular) - font-latex-sedate-face) - (font-latex-math-face (:family ,swarsel/fixed-font :weight regular) - font-latex-math-face) - (diff-removed (:family ,swarsel/fixed-font 
:weight regular) diff-removed) - (diff-hunk-header (:family ,swarsel/fixed-font :weight regular) diff-hunk-header) - (diff-header (:family ,swarsel/fixed-font :weight regular) diff-header) - (diff-function (:family ,swarsel/fixed-font :weight regular) diff-function) - (diff-file-header (:family ,swarsel/fixed-font :weight regular) diff-file-header) - (diff-context (:family ,swarsel/fixed-font :weight regular) diff-context) - (diff-added (:family ,swarsel/fixed-font :weight regular) diff-added) - (default (:family "Sans Serif" :weight light) variable-pitch default) - )) + (setq-local face-remapping-alist '((default variable-pitch default))) + (dolist (face '((org-level-1 . 1.1) + (org-level-2 . 0.9) + (org-level-3 . 0.9) + (org-level-4 . 0.9) + (org-level-5 . 0.9) + (org-level-6 . 0.9) + (org-level-7 . 0.9) + (org-level-8 . 0.9))) + (set-face-attribute (car face) nil :font swarsel/variable-font :weight 'medium :height (cdr face))) (setq header-line-format nil) (setq visual-fill-column-width 150) (setq indicate-buffer-boundaries t) (setq inhibit-message nil) - (setq org-babel-no-eval-on-error nil) ;; (breadcrumb-mode 1) (global-hl-line-mode 1) ;; (display-line-numbers-mode 1) (org-remove-inline-images) - ;; (org-modern-mode 1) + (org-modern-mode 1) (evil-normal-state 1) ;; (org-present-show-cursor) - (remove-hook 'post-command-hook #'swarsel/org-reveal-at-point t) - (remove-hook 'post-command-hook #'swarsel/org-present-maybe-read-only t) ) -(defun swarsel/org-present-slide-open () +(defun swarsel/org-present-slide () (org-overview) (org-show-entry) (org-show-children) 
@@ -1225,28 +1114,18 @@ create a new one." (defun swarsel/org-present-prev () (interactive) - (beginning-of-buffer) (org-present-prev) - (swarsel/org-present-slide-open) - ) + (swarsel/org-present-slide)) (defun swarsel/org-present-next () (interactive) - (let* ((next-heading (save-excursion - (when (outline-next-heading) (point)))) - (next-block (save-excursion - (when (re-search-forward "^#\\+begin_src" nil t) - (match-beginning 0)))) - (target (cond - ((and next-heading next-block) (min next-heading next-block)) - (next-heading next-heading) - (next-block next-block) - (t nil)))) - (if (and target (< target (point-max))) - (progn - (goto-char target) - (org-fold-show-entry)) - (org-present-next)))) + (unless (eobp) + (org-next-visible-heading 1) + (org-fold-show-entry)) + (when (eobp) + (org-present-next) + (swarsel/org-present-slide) + )) (defun org-babel-execute:markdown (body params) "Just return BODY unchanged, allowing noweb expansion." diff --git a/hosts/nixos/x86_64-linux/pyramid/default.nix b/hosts/nixos/x86_64-linux/pyramid/default.nix index 25f8485..60d2522 100644 --- a/hosts/nixos/x86_64-linux/pyramid/default.nix +++ b/hosts/nixos/x86_64-linux/pyramid/default.nix @@ -79,7 +79,6 @@ in personal = true; }; - networking.nftables.firewall.zones.untrusted.interfaces = [ "wlan*" "enp*" ]; # networking.nftables = { # enable = lib.mkForce false; # firewall.enable = lib.mkForce false; diff --git a/hosts/nixos/x86_64-linux/pyramid/secrets/pii.nix.enc b/hosts/nixos/x86_64-linux/pyramid/secrets/pii.nix.enc index 84a7b9f..beb5c3f 100644 --- a/hosts/nixos/x86_64-linux/pyramid/secrets/pii.nix.enc +++ b/hosts/nixos/x86_64-linux/pyramid/secrets/pii.nix.enc 
@@ -1,5 +1,5 @@ { - "data": "ENC[AES256_GCM,data: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,iv:I5pCXGk/JXER4l9Jrqu7PfF1eKgD5OdKNvjA6HE5lfQ=,tag:u2gosk6uo6GN4+JxJsV9Ew==,type:str]", + "data": "ENC[AES256_GCM,data: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,iv:9SAQXPwrhy5yjkNxn1lITD77MjqdrYOSlFpUBE8a/fY=,tag:tYApnwq2auUk+/N9alPX3w==,type:str]", "sops": { "age": [ { @@ -7,8 +7,8 @@ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsTXhHajBUQnY4MzJuTW5u\nME4vWHJrRCtQMWhWQ1pvU3h1UWVielFQSFFRCkl2RmpTRDh5Z3Q5UWcwS3RCVHds\nM05GNi8vNnpwS3FZcDBGWVdlZEdyVEUKLS0tIEM1SWdtZGV4QjhpaktRNkw0NDl1\neWlYN0tDMUhsWG1OSm9xWlM2VWJKcXcKa9aySsFOXPdwkmrmFc6X+WZT67vcuJf0\ndd1soIklu7xRuNpGKMuZbNKKgyRZnGrcUZUwwGIlJ2KRDag2risOXw==\n-----END AGE ENCRYPTED FILE-----\n" } ], - "lastmodified": "2026-03-24T18:37:56Z", - "mac": "ENC[AES256_GCM,data:0VwPHOcQi8uAzo7F+IKpMfs+UlcaKflC8xPYcT1ITY/PNwZD/mSh18oOjZ0J90UepMysHtYRnJ7BxZSYkBCp+GFcYWYdHrNhYdUOvI5wwTz3FCw4ybaZCmepPFIJl/7LOYX7lQnxegGWFyyVpjxGWh2pe3CIbs+g3ev+EPzqA9E=,iv:cTtBXjwJaUImChgTuPfiUqfXheD8QA402+8Fd0FWor8=,tag:WAdYeB690oI0ILqP05sTTQ==,type:str]", + "lastmodified": "2025-10-21T19:32:24Z", + "mac": "ENC[AES256_GCM,data:wM862FQH/qX/abuD+krJOazli9Ci5GrpLtdcnzFgKCeNdjA2cfZ8M3DyzsBwMXjp6HxBHLyO7QXGcQkx3kIKGnRhEBuQzVOtrZhqcDi2Ho8iBV8Dh4xkhcpBYufw7xP8hGWg6ZVZ4JyM3P4NfAdxbfWTdc1VMStAafJ2SZ3pAYI=,iv:tDAKNe8LV40hRCqKzN6j6B71IV81SnrBgerxGPzU4Zk=,tag:7ZsST8pl9TjMog0dNKcUcA==,type:str]", "pgp": [ { "created_at": "2025-12-02T14:58:23Z", @@ -17,6 +17,6 @@ } ], "unencrypted_suffix": "_unencrypted", - "version": "3.12.1" + "version": "3.11.0" } } diff --git a/modules/home/common/ssh.nix b/modules/home/common/ssh.nix index ea81f5e..c4fc482 100644 --- a/modules/home/common/ssh.nix +++ b/modules/home/common/ssh.nix @@ -11,7 +11,7 @@ ''; matchBlocks = { "*" = { - forwardAgent = false; + forwardAgent = true; addKeysToAgent = "no"; compression = false; serverAliveInterval = 0; 
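Review bot: Flipping `forwardAgent` to `true` in the `"*"` match block forwards the local agent socket to every host you ssh into, including the work hosts added elsewhere in this change, so anyone with root on a remote host can use your loaded keys (presumably the FIDO2/GPG-backed ones this config is built around) for the lifetime of the session. Agent forwarding is better scoped to the match blocks of the few hosts that actually need it, leaving `forwardAgent = false;` under `"*"`; note that the neighbouring `addKeysToAgent = "no"` does not mitigate this, since forwarding exposes whatever is already in the agent. `programs.ssh.startAgent = false` in the yubikey module means this only bites when some other agent (e.g. gpg-agent's ssh socket) owns `SSH_AUTH_SOCK`, but that looks like exactly the setup here. The `matchBlocks` set continues outside the hunk.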
diff --git a/modules/home/optional/work.nix b/modules/home/optional/work.nix index c9f7640..e1f24fe 100644 --- a/modules/home/optional/work.nix +++ b/modules/home/optional/work.nix @@ -4,7 +4,6 @@ let inherit (confLib.getConfig.repo.secrets.local.mail) allMailAddresses; inherit (confLib.getConfig.repo.secrets.local.work) mailAddress; - sopsFile = self + /secrets/work/secrets.yaml; certsSopsFile = self + /secrets/repo/certs.yaml; in { @@ -149,7 +148,7 @@ in programs = let - inherit (confLib.getConfig.repo.secrets.local.work) user1 user1Long user2 user2Long user3 user3Long path1 site1 site2 site3 site4 site5 site6 site7 clouds; + inherit (confLib.getConfig.repo.secrets.local.work) user1 user1Long user2 user2Long user3 user3Long user4 path1 loc1 loc2 site1 site2 site3 site4 site5 site6 site7 lifecycle1 lifecycle2 domain1 domain2 clouds; in { openstackclient = { @@ -204,7 +203,41 @@ in }; }; - ssh.matchBlocks = confLib.getConfig.repo.secrets.local.work.sshConfig; + ssh = { + matchBlocks = { + "${loc1}" = { + hostname = "${loc1}.${domain2}"; + user = user4; + }; + "${loc1}.stg" = { + hostname = "${loc1}.${lifecycle1}.${domain2}"; + user = user4; + }; + "${loc1}.staging" = { + hostname = "${loc1}.${lifecycle1}.${domain2}"; + user = user4; + }; + "${loc1}.dev" = { + hostname = "${loc1}.${lifecycle2}.${domain2}"; + user = user4; + }; + "${loc2}" = { + hostname = "${loc2}.${domain1}"; + user = user1Long; + }; + "${loc2}.stg" = { + hostname = "${loc2}.${lifecycle1}.${domain2}"; + user = user1Long; + }; + "${loc2}.staging" = { + hostname = "${loc2}.${lifecycle1}.${domain2}"; + user = user1Long; + }; + "*.${domain1}" = { + user = user1Long; + }; + }; + }; firefox = { profiles = @@ -731,8 +764,6 @@ in path = "${homeDir}/.aws/certs/harica-root.pem"; owner = mainUser; }; - yubikey-1 = { inherit sopsFile; owner = mainUser; }; - ucKey = { inherit sopsFile; owner = mainUser; }; }; }; 
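Review bot: `"${loc2}"` resolves to `${loc2}.${domain1}` while its `.stg`/`.staging` siblings resolve under `${domain2}`, unlike the `${loc1}` group where every entry uses `domain2`; if that asymmetry is intentional it deserves a one-line comment, otherwise one of the two may be a typo that sends you to the wrong host with the wrong user (the `"*.${domain1}"` block sets `user1Long`). The `.stg`/`.staging` pairs carry identical bodies; OpenSSH accepts several patterns on one `Host` line, so `"${loc1}.stg ${loc1}.staging" = { hostname = "${loc1}.${lifecycle1}.${domain2}"; user = user4; };` halves the block without changing behaviour. None of these work hosts set `forwardAgent`, so they inherit whatever the global `"*"` block decides, which is worth stating explicitly for hosts that reach shared infrastructure. The enclosing `programs` attrset starts and ends outside the hunk.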
diff --git a/modules/nixos/client/hardwarecompatibility-yubikey.nix b/modules/nixos/client/hardwarecompatibility-yubikey.nix index 8c5e11e..58b0078 100644 --- a/modules/nixos/client/hardwarecompatibility-yubikey.nix +++ b/modules/nixos/client/hardwarecompatibility-yubikey.nix @@ -6,20 +6,9 @@ in { options.swarselmodules.yubikey = lib.mkEnableOption "yubikey config"; config = lib.mkIf config.swarselmodules.yubikey { - programs.ssh = { - startAgent = false; # yes we want this to use FIDO2 keys - # enableAskPassword = true; - # askPassword = lib.getExe pkgs.kdePackages.ksshaskpass; - }; - services = { - gnome.gcr-ssh-agent.enable = false; - yubikey-agent.enable = false; - pcscd.enable = true; + programs.ssh.startAgent = false; - udev.packages = with pkgs; [ - yubikey-personalization - ]; - }; + services.pcscd.enable = true; hardware.gpgSmartcards.enable = true; @@ -38,8 +27,9 @@ in }; }; - environment.systemPackages = with pkgs; [ - kdePackages.ksshaskpass + services.udev.packages = with pkgs; [ + yubikey-personalization ]; + }; } diff --git a/modules/nixos/common/home-manager-secrets.nix b/modules/nixos/common/home-manager-secrets.nix index 7d6e790..ef4d8a3 100644 --- a/modules/nixos/common/home-manager-secrets.nix +++ b/modules/nixos/common/home-manager-secrets.nix @@ -4,7 +4,6 @@ let inherit (config.repo.secrets.common.emacs) radicaleUser; certsSopsFile = self + /secrets/repo/certs.yaml; - workSopsFile = self + /secrets/work/secrets.yaml; in { config = { } // lib.optionalAttrs withHomeManager { 
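Review bot: The rewrite drops the why-comment on `startAgent = false` together with the explicit `services.gnome.gcr-ssh-agent.enable = false` and `services.yubikey-agent.enable = false`, so the rationale is no longer visible and, if another module enables GNOME, gcr-ssh-agent may now start and claim `SSH_AUTH_SOCK`, which is presumably what those lines were guarding against. Keep the intent on the line: `programs.ssh.startAgent = false; # FIDO2/GPG keys are used directly; no host ssh-agent should own SSH_AUTH_SOCK`. If the explicit disables were removed because nothing in this config enables those services, a short comment saying so would stop the next reader from re-adding them. The module's `config` attrset continues between and after the two hunks.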
@@ -30,8 +29,6 @@ in github-forge-token = { owner = mainUser; }; }) // (lib.optionalAttrs (modules ? optional-work) { harica-root-ca = { sopsFile = certsSopsFile; path = "${homeDir}/.aws/certs/harica-root.pem"; owner = mainUser; }; - yubikey-1 = { sopsFile = workSopsFile; owner = mainUser; }; - ucKey = { sopsFile = workSopsFile; owner = mainUser; }; }) // (lib.optionalAttrs (modules ? optional-noctalia) { radicale-token = { owner = mainUser; }; }) // (lib.optionalAttrs modules.anki { diff --git a/modules/nixos/common/pii.nix b/modules/nixos/common/pii.nix index 49f0540..d10ed18 100644 --- a/modules/nixos/common/pii.nix +++ b/modules/nixos/common/pii.nix @@ -1,5 +1,5 @@ # largely based on https://github.com/oddlama/nix-config/blob/main/modules/secrets.nix -{ config, inputs, lib, homeLib, nodes, globals, ... }: +{ config, inputs, lib, nodes, globals, ... }: let # If the given expression is a bare set, it will be wrapped in a function, # so that the imported file can always be applied to the inputs, similar to @@ -53,7 +53,7 @@ in secrets = lib.mkOption { readOnly = true; - default = lib.mapAttrs (_: x: importEncrypted x { inherit lib homeLib nodes globals inputs config; inherit (inputs.topologyPrivate) topologyPrivate; }) config.repo.secretFiles; + default = lib.mapAttrs (_: x: importEncrypted x { inherit lib nodes globals inputs; inherit (inputs.topologyPrivate) topologyPrivate; }) config.repo.secretFiles; type = lib.types.unspecified; description = "Exposes the loaded repo secrets. This option is read-only."; }; diff --git a/modules/nixos/optional/work.nix b/modules/nixos/optional/work.nix index 2cec98f..b75c41e 100644 --- a/modules/nixos/optional/work.nix +++ b/modules/nixos/optional/work.nix 
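Review bot: Dropping `config` (and `homeLib`) from the attribute set handed to `importEncrypted` changes the contract of every `*.nix.enc` file; any secret file that still references `config` will now fail at evaluation with no hint from this option, since `secrets` is `readOnly` and typed `unspecified`. Record the supported arguments where a reader will look, e.g. `description = "Exposes the loaded repo secrets; each secret file is called with lib, nodes, globals, inputs and topologyPrivate. This option is read-only.";`. If the motivation was the obvious infinite-recursion path (`config.repo.secrets` depending on `config`), a one-line comment above `default` would preserve that reasoning. The surrounding `options` attrset starts and ends outside the hunk.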
@@ -123,42 +123,10 @@ in }; - nftables = { - firewall = { - zones = { - virbr = { - interfaces = [ "virbr*" ]; - }; - }; - rules = { - virbr-dns-dhcp = { - from = [ "virbr" ]; - to = [ "local" ]; - allowedTCPPorts = [ 53 ]; - allowedUDPPorts = [ 53 67 547 ]; - }; - virbr-forward = { - from = [ "virbr" ]; - to = [ "untrusted" ]; - verdict = "accept"; - }; - virbr-forward-return = { - from = [ "untrusted" ]; - to = [ "virbr" ]; - extraLines = [ - "ct state { established, related } accept" - ]; - }; - }; - }; - chains.postrouting.libvirt-masq = { - after = [ "dnat" ]; - rules = [ - "iifname \"virbr*\" masquerade" - ]; - }; + firewall = { + enable = lib.mkDefault true; + trustedInterfaces = [ "virbr0" ]; }; - search = [ "vbc.ac.at" "clip.vbc.ac.at" @@ -166,24 +134,6 @@ in ]; }; - systemd.services = { - virtqemud.path = with pkgs; [ - qemu_kvm - libvirt - ]; - - virtstoraged.path = with pkgs; [ - qemu_kvm - libvirt - ]; - - virtnetworkd.path = with pkgs; [ - dnsmasq - iproute2 - nftables - ]; - }; - virtualisation = { docker.enable = lib.mkIf (!config.virtualisation.podman.dockerCompat) true; spiceUSBRedirection.enable = true; @@ -194,12 +144,22 @@ in runAsRoot = true; swtpm.enable = true; vhostUserPackages = with pkgs; [ virtiofsd ]; + # ovmf = { + # enable = true; + # packages = [ + # (pkgs.OVMFFull.override { + # secureBoot = true; + # tpmSupport = true; + # }).fd + # ]; + # }; }; }; }; environment.systemPackages = with pkgs; [ remmina + # gp-onsaml-gui python39 qemu packer @@ -208,6 +168,7 @@ in govc terraform opentofu + # dev.terragrunt terragrunt graphviz azure-cli @@ -231,7 +192,7 @@ in openssh = { enable = true; extraConfig = '' - ''; + ''; }; syncthing = { 
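Review bot: `networking.firewall.trustedInterfaces = [ "virbr0" ]` accepts every inbound packet from the guest bridge to the host, whereas the removed zoned rules only allowed DNS/DHCP (TCP 53, UDP 53/67/547) from `virbr` and otherwise forwarded; guests can now reach any host-bound service, including the `openssh` and `syncthing` enabled further down and anything else listening on all interfaces. Keeping the old allow-list is a three-line change: `networking.firewall.interfaces.virbr0 = { allowedTCPPorts = [ 53 ]; allowedUDPPorts = [ 53 67 547 ]; };`, and note that a literal `virbr0` no longer covers the extra libvirt networks the old `virbr*` glob matched. The masquerade chain and the `virtnetworkd` PATH additions (dnsmasq, iproute2, nftables) were removed as well; libvirt normally installs its own NAT rules, but whether the NixOS service units already provide those binaries should be confirmed before relying on the default network. The enclosing `networking` attrset starts outside the hunk.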
@@ -252,9 +213,10 @@ in }; }; + # ACTION=="remove", ENV{PRODUCT}=="3/1050/407/110", RUN+="${pkgs.kanshi}/bin/kanshictl switch laptoponly" udev.extraRules = '' # lock screen when yubikey removed - ACTION=="remove", ENV{PRODUCT}=="3/1050/407/110", RUN+="${pkgs.systemd}/bin/systemctl suspend" + ACTION=="remove", ENV{PRODUCT}=="3/1050/407/110", RUN+="${pkgs.systemd}/bin/systemctl suspend" ''; }; diff --git a/secrets/work/secrets.yaml b/secrets/work/secrets.yaml index d3b934b..6537a9b 100644 --- a/secrets/work/secrets.yaml +++ b/secrets/work/secrets.yaml @@ -10,8 +10,6 @@ govcds: ENC[AES256_GCM,data:X5R+N9A1ZkCMGJb4yNiAcfPxzQ==,iv:8Yx06B/R/9p6oTOnqPod govchost: ENC[AES256_GCM,data:l/5kcvUQkT/4TYl1j7Ws,iv:Lc+D4ukKkTrIIg8sKy/9NYX1D6xMgL8oEGWZ9DzJtFM=,tag:MuvEJEVYNchT1iDTRPwvbQ==,type:str] govcnetwork: ENC[AES256_GCM,data:Hevnb0fAMbXTrg1CCmAgwZbJ+sxaTUgJLRc=,iv:UoNyPYuKnACv/euoE5SGlsF4/0ni32+ysLc7nM/pCrQ=,tag:jSHYFecVUvmTKr6AmNLbgw==,type:str] govcpool: ENC[AES256_GCM,data:sfglbCi3,iv:UdvDgyI8AAFdfOxKD1sVYCof7rXFPavq8eYDaK6Kp2I=,tag:iMn7XPf0rmql2EiaqsAn8w==,type:str] -yubikey-1: ENC[AES256_GCM,data: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,iv:etzqt2BFRzxXE32s2XBoTNE79k6jWCkoG+HsqnKLezE=,tag:L+SsPjqUC/vD8oFR5djnxw==,type:str] -ucKey: ENC[AES256_GCM,data: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,iv:MhcRyy718AFpwfkUrY40sS5Ry1tFpexx/ck5EF5JRyo=,tag:EQWcodkt9RgKllE02L7yow==,type:str] sops: age: - recipient: age15cx90pnp54xp5gxlt02yn9j2pz968wp3l5ukdkx55xuecp34e5pszjku4m 
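Review bot: The comment above the udev rule still says `lock screen when yubikey removed`, but the command it runs is `systemctl suspend`; whether suspend actually locks the session depends on a lock-on-sleep hook that this hunk does not show. Make the comment match the action and state the assumption: `# suspend when the YubiKey (udev PRODUCT 3/1050/407/110) is unplugged -- locking assumes a lock-on-suspend hook`. The only other change to the rule is trailing whitespace on the `RUN+=` line, which is noise. The new commented-out kanshi line sits outside the `''` string, so it is a Nix comment rather than a udev rule; either drop it or move it inside the string with a `#` if it is meant as a reference. The attrset holding `udev.extraRules` starts outside the hunk.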
@@ -23,8 +21,8 @@ sops: VDhiYldnZ3piamFoUHBuU0ZVaGQvbk0K/n41+x2YL/rpaEAUbjvCtyUmw1uwCXVo jmH2cXi/GH4CSoLY6oekq1m9dY/Jxgl7BK+KdRwf79IwhpP98E0xzA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2026-03-24T18:20:57Z" - mac: ENC[AES256_GCM,data:0pRVfuZN0rQqGIkOiq91LE0UPxNTY7Os+iR1uMISOyQ8UDdM5aN5LGGYIAOIkFiJBO8CZbXzu1BerywUA6vb3odGq/9J8aQSHOB39wxOssjarPqwLlutMnLzo/eJWdM8c0DJ3pGUUIJPjPcJr9EEblyY9+PYOPt4QgCx/6/JwoQ=,iv:xusha09BS0IX7qZoQXqP3K7EseDLsBA3LHJ8T1bbD0I=,tag:GJmjKk0P0pO9P2aVBAeYQw==,type:str] + lastmodified: "2025-07-03T13:26:17Z" + mac: ENC[AES256_GCM,data:35J6pbaTXcq8zW3wtLqBAHSTaWjCxx+BsOZlKWNwxEOCkGzXIIKFtakZJIaMktgPNLvYOlUEOP7dhjUc5IvJCM5beMSNOjBVJJNnLkKQv5sCJK+4p4uTzXo3Neht/Y3xan4DQItdm5lwwQpyNlCecGynVjqN+F44liyxsAR8gtQ=,iv:gaVY3PUn7NdmBNAvuvij990T5pRrAfqY1qgCPWxGBiA=,tag:CuOMqH34hlQX8WPikAL0qw==,type:str] pgp: - created_at: "2025-12-02T15:00:16Z" enc: |- @@ -58,4 +56,4 @@ sops: -----END PGP MESSAGE----- fp: 4BE7925262289B476DBBC17B76FD3810215AE097 unencrypted_suffix: _unencrypted - version: 3.12.1 + version: 3.10.2
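Review bot: `lastmodified` moves backwards from 2026-03-24 to 2025-07-03 and `version` from 3.12.1 to 3.10.2, which indicates this file was restored from an older revision rather than edited with `sops`; besides dropping `yubikey-1` and `ucKey`, that silently discards anything else changed in between (re-keying, rotated values) that this diff cannot show. If the intent is only to remove the two keys, `sops unset` (or decrypt, edit, re-encrypt) on the current revision keeps the recipient set, `mac` and metadata consistent. Removing the keys from the YAML does not remove their ciphertext from git history, so if the YubiKey-related material is sensitive it should be rotated, or the repo's age/PGP recipients explicitly accepted as the trust boundary. The same backwards `lastmodified`/`version` pattern appears in `hosts/.../pyramid/secrets/pii.nix.enc` earlier in this commit, so it looks like a deliberate rollback that deserves a sentence in the commit message.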